The invention relates to methods for transmitting a message between a transmitter and a receiver on a bus. The invention also relates to a control device and a vehicle which are set up to carry out the method for transmitting a message.
In order to protect data communication, the IEC 61508 safety standard requires proof that the likelihood of undetected failures of the communication process has been estimated, taking the assumed error scenarios into account.
In this case, the measures are at the application level and protect the data from the safety-oriented data source to the data sink (so-called end-to-end protection). When considering errors, it is also necessary to estimate, inter alia for the masquerade error scenario, the likelihood of there being an undetected error in the communication process.
The AUDI communication model provides a system based on FlexRay and CAN. A plurality of safety-relevant communication paths can be used in a parallel manner in the communication system. In addition to the active participants in safety-oriented communication, other safety-relevant and non-safety-relevant communication paths are also present. A data-receiving participant in safety-oriented communication may only use the data received from the transmitter relevant to the participant, otherwise there is an undetected masquerade error.
The expression “masquerade” means that the true contents of a message are not correctly identified. For example, a message from an unsafe participant is incorrectly identified as a message from a safe participant.
In the case of a masquerade, the receiver thus assesses a non-authentic message as authentic. In this case, an authentic message means that the message is valid and its information was generated by an authenticated transmitter. The masquerade is usually caused by incorrect routing of a correct message, in which case transmission control devices, the gateway or else the receiver control device can effect the incorrect routing for the safety function under consideration. Errors which result in a masquerade can be divided into the three categories: random hardware faults, systematic software errors and random bit errors on the bus.
Masquerade caused by random hardware faults falls under the requirement which IEC 61508-2 imposes on data communication: if any form of data communication is used when performing a safety function, the likelihood of undetected failure of the communication process must be estimated. In this case, transmission errors, repetitions, loss, insertions, incorrect sequence, corruption, delay and masquerade must be taken into account. This likelihood must then be included when estimating the likelihood of dangerous failure of the safety function on account of random hardware failures.
Systematic software errors, for instance as a result of an incorrect configuration, should be precluded by the development process and software or integration tests, in particular in the safety-oriented software of the transmitter and receiver with the end-to-end protection. There is no need to calculate a likelihood of occurrence since these errors occur in a determinate manner and not stochastically.
Random bit errors on the bus may result in incorrect interpretation of the information in the useful data, for instance owing to corruption of the message identifier in CAN and the receiver-selective message evaluation. A transmission code (TC1) for detecting bit errors on the bus has already been provided, according to the protocol, in the bus systems considered for this document. Bit errors which corrupt the message packets fall into the corruption error pattern according to the classification in IEC 61508-2. Bit errors on the bus would be decisive for the masquerade error pattern only when they relate to the identifier, for example in CAN, and the transmission code of the protocol would not detect them with sufficient likelihood.
The following is considered to be a fundamental prerequisite for all safety-oriented systems in the vehicle: partial or complete failure or intermittent or permanent disruption in communication must not lead to a safety-relevant vehicle state.
Requirements are defined for reliably detecting transmission errors in communication. For this purpose, additional information (message counter, checksum) is added to the actual useful data of the transmitter. This information is evaluated in the receiver. In this case, protection is effected end-to-end, that is to say from the safety-oriented software in the transmitter control device to the safety-oriented software in the receiver control device. The data packets generated by the application (safety protocol data units: S-PDUs) thus include useful data and redundancy for error detection.
When using a CRC-8 checksum, there is a maximum number of 256 identifiers for the unambiguous detection of masquerade. The identifier 0 is reserved for those messages which do not require any protection against masquerade. 255 unique identifiers thus remain for allocation to messages which need to be protected against masquerade, equivalent to just as many transmitter/receiver paths.
In the case of qualified errors in the receiver, the useful data or signals are not transferred to the safety-oriented software of the safety function. The safety functions are designed in such a manner that the “safe state timeout” fallback level is assumed in the case of intermittent or permanent disruption. Errors in the signals or useful data which remain undetected during evaluation can lead to a dangerous incident, since the safety-oriented software interprets the incorrect data as valid and bases its calculations or decisions on them.
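The end-to-end scheme described above (message counter plus CRC-8 added to the useful data, a path identifier that distinguishes transmitter/receiver paths, and a receiver that withholds the data from the safety software on a qualified error) can be illustrated with the following added example. It is not code from the page or from any vehicle manufacturer's protocol; the CRC-8 polynomial 0x1D (SAE J1850), the 4-bit counter, the S-PDU layout and the rule that the path identifier is folded into the checksum without being transmitted are all assumptions made for the illustration. With those assumptions a correct message that is routed to the wrong receiver (masquerade), a replayed message (repetition), a skipped counter (loss) and a flipped payload bit (corruption) each produce a distinct qualified error.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (assumed layout): S-PDU = CRC-8 + 4-bit counter + useful data. */
#define SPDU_DATA_LEN        6u
#define SPDU_ID_UNPROTECTED  0u    /* identifier 0: path not protected against masquerade */
#define SPDU_COUNTER_MASK    0x0Fu

typedef struct {
    uint8_t crc;                   /* CRC-8 over (data id, counter, payload) */
    uint8_t counter;               /* 4-bit message counter, wraps at 16 */
    uint8_t data[SPDU_DATA_LEN];   /* useful data */
} spdu_t;

typedef enum {
    E2E_OK = 0,
    E2E_ERR_CRC,        /* corruption, or masquerade (checked against a different path id) */
    E2E_ERR_REPEAT,     /* same counter seen again: repetition / replay */
    E2E_ERR_SEQUENCE    /* counter jumped: loss, insertion or incorrect sequence */
} e2e_status_t;

typedef struct { uint8_t data_id; uint8_t counter; } e2e_tx_t;
typedef struct { uint8_t data_id; uint8_t last_counter; bool have_last; } e2e_rx_t;

/* Bitwise CRC-8, polynomial 0x1D, no reflection (assumed parameters). */
static uint8_t crc8_update(uint8_t crc, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (uint8_t)((crc & 0x80u) ? ((crc << 1) ^ 0x1Du) : (crc << 1));
    }
    return crc;
}

/* The data id is never sent on the bus; transmitter and receiver know it from
 * configuration. A correct message delivered to the wrong receiver is therefore
 * checked against a different id and fails the CRC, which exposes the masquerade. */
static uint8_t spdu_crc(uint8_t data_id, const spdu_t *p)
{
    uint8_t crc = 0xFFu;
    crc = crc8_update(crc, &data_id, 1);
    crc = crc8_update(crc, &p->counter, 1);
    crc = crc8_update(crc, p->data, SPDU_DATA_LEN);
    return (uint8_t)(crc ^ 0xFFu);
}

/* Transmitter side: attach counter and checksum to the useful data. */
void e2e_protect(e2e_tx_t *tx, spdu_t *p, const uint8_t payload[SPDU_DATA_LEN])
{
    memcpy(p->data, payload, SPDU_DATA_LEN);
    p->counter = tx->counter;
    tx->counter = (uint8_t)((tx->counter + 1u) & SPDU_COUNTER_MASK);
    p->crc = spdu_crc(tx->data_id, p);
}

/* Receiver side: only on E2E_OK may the payload reach the safety-oriented software.
 * On a qualified error the receiver state is left unchanged. */
e2e_status_t e2e_check(e2e_rx_t *rx, const spdu_t *p)
{
    if (spdu_crc(rx->data_id, p) != p->crc)
        return E2E_ERR_CRC;
    if (rx->have_last) {
        uint8_t delta = (uint8_t)((p->counter - rx->last_counter) & SPDU_COUNTER_MASK);
        if (delta == 0u) return E2E_ERR_REPEAT;
        if (delta != 1u) return E2E_ERR_SEQUENCE;
    }
    rx->last_counter = p->counter;
    rx->have_last = true;
    return E2E_OK;
}

int main(void)
{
    /* Constructed scenario: path A uses id 0x11, path B uses id 0x22. */
    e2e_tx_t tx_a = { 0x11u, 0u };
    e2e_rx_t rx_a = { 0x11u, 0u, false };
    e2e_rx_t rx_b = { 0x22u, 0u, false };
    const uint8_t payload[SPDU_DATA_LEN] = { 1, 2, 3, 4, 5, 6 };
    spdu_t m;
    e2e_protect(&tx_a, &m, payload);
    printf("correct path : %d\n", e2e_check(&rx_a, &m));   /* 0 = E2E_OK */
    printf("misrouted    : %d\n", e2e_check(&rx_b, &m));   /* 1 = E2E_ERR_CRC (masquerade) */
    printf("replayed     : %d\n", e2e_check(&rx_a, &m));   /* 2 = E2E_ERR_REPEAT */
    return 0;
}
```

Because the CRC is linear over GF(2) and the polynomial has a non-zero constant term, two S-PDUs that differ only in the path identifier byte can never share a checksum, so misrouting is always caught; the 255 usable identifiers of the text are exactly the non-zero values of that byte.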